(54) Method and apparatus for controlling software access to system resources

(57) Methods, systems, and software for installing and operating selected software applications on a client computer that is in communication with a server computer on a computer network are described. In one aspect of the present invention, a method for controlling the degree of access to operating system resources for a software program running on a computer that is running said operating system is provided. The degree of access to the operating system resources is defined for the software program, and at least one file including instructions for executing the software program is loaded on the computer from the server computer. The file is examined to determine the degree of system-level access available to the software program when the software program is being executed by the computer. The software program is executed, and a program instruction associated with the software program is intercepted when the software is being executed on the computer. A determination is then made to determine if the program instruction includes an operation that is outside of a degree of system-level access that is available to the software program, and if it is determined that the software program has permission to access system-level resources associated with the computer that are within the degree of system-level access available to the software, the program instruction is executed.
Description

BACKGROUND OF THE INVENTION

1. Field of Invention

The present invention relates generally to methods and apparatus for controlling the access to computer resources by software running on a computer. More specifically, the present invention relates to methods and apparatus for controlling the access to system resources on a client computer by software downloaded to the client computer from a server computer.

2. Background

Prior to the rise of the personal computer, computer users were limited to operating software that ran on large, mainframe computers using terminals that typically included a keyboard for entering data and commands and a video display device (or printer) for viewing output. Although mainframes provided very powerful computing platforms, they suffered from serious drawbacks. In particular, mainframes were expensive to install and operate and they required all users to be connected directly to the mainframe through a terminal, which limited access to the mainframe for many people. In addition, users had very limited control over their computing environments, usually having to adapt their work styles and problems to suit the software and administration of the mainframe computer.

Beginning in the late 1970's personal computers began to overtake mainframes as the dominant computing platform for both personal, business, and scientific uses. For single users, personal computers often could provide the same computing speed as the older mainframes that had to accommodate many processing jobs simultaneously. In addition, software that ran on the personal computers became more "user-friendly," thereby allowing computer users to adapt both the computer and the software to suit their particular computation needs. The release from requiring a connection from a terminal to a mainframe allowed personal computers to be located just about anywhere within an organization or at home. This capability further assured the dominance of the personal computer over the mainframe as computing power could be located at sites where it was needed. No longer did users have to tailor their operations around large, expensive, finicky mainframe computing centers.

As the computing power and data storage capacities of personal computers exploded throughout the 1980s, the dominance of the personal computer seemed to be assured. As the 1980s drew to a close, however, a new phenomenon began to emerge which appears likely to overtake the personal computer revolution of the past two decades. Today, ever increasing numbers of personal computers are linked to each other through high speed data networks. The most popular network currently is the "Internet" which is the network comprising various business, academic, and personal computer sites across the globe. The popularity of the Internet, and, more particularly, that aspect of the Internet referred to as the "World Wide Web," has prompted many organizations to form internal computer networks, which are often referred to as "intranets." This interest in network computing has been sparked by a combination of high speed data networks and increasingly sophisticated network servers, routers and other devices which allow many independent personal computers to communicate efficiently.

The attractiveness of the World Wide Web stems in part from its highly visual character, the same factor that played a large role in the rise of the personal computer and its dominance over the mainframe. Typically, the World Wide Web is organized into various "web sites" which typically comprise a server that transmits data to a client computer running a "browser." The browser is software that provides a user with a window and various controls through which data from the server can be viewed and navigated. A particularly useful feature of World Wide Web data is its ability to be linked through hypertext commands such that users can quickly navigate from one document to another and even from one web site to another through very simple intuitive commands such as the activation of a mouse button. Using the World Wide Web, users can view and/or download text, graphics and hear sounds from sites all over the globe. In addition users can also download new software, or software capable of modifying programs already installed on the client computers.

These same features available to users of the World Wide Web on the Internet can also be provided to users of a local network through an "intranet", a non-public computer network that includes clients and servers arranged analogously to the Internet. This capability has received increasing attention from many organizations as information useful to employees carrying out their assignments can be distributed quickly throughout the network to personal computers within the organization. In particular, many organizations are utilizing intranets to provide access to databases and custom software programs for individuals in the organization using such intranets. For example custom software applets created using the Java™ programming language (available commercially from Sun Microsystems of Palo Alto, California), can be operated in conjunction with software and data already installed on the remote computer which is either external or internal to the intranet to provide users access to data and software specific to their job tasks without the difficulties associated with disseminating and maintaining many copies of special-purpose software as has been done traditionally.

It is often desirable for software distributed through a secure intranet to have full access to the system resources of the client computer; whereas software distributed over less secure networks external to the intranet system generally are allowed little or no access to system resources, such as file moving capabilities, as such software cannot always be trusted. For example, some software applications include functions that install computer viruses on the host computer. Other software applications may copy, alter, or delete critical data from the host computer and even forward that data to another computer system surreptitiously. Unfortunately, there is no viable method or apparatus to enable trusted software to access certain resources while restricting other software from accessing the same resource. Users are therefore left with a trade-off between enabling all software (trusted or suspect) access to all system resources or limiting the access of all software in an effort to preserve the security of the client system.

Thus, it would be of great benefit to computer users, and especially computer users within organizations in which multiple computer users are connected through a computer network, to provide methods and systems for controlling resource access for both information and software over the network so that the above-described problems associated with highly decentralized computer networks can be mitigated. As will be described here and below, the present invention meets these and other needs.

SUMMARY OF THE INVENTION

The present invention addresses the above-described difficulties in managing software distribution across networked computers by providing, in one aspect, a method, system, and software for controlling the access to server resources by selected software applications on a first computer acting as a client computer that is in communication with a second computer acting as a server computer on a computer network.

In one aspect of the present invention, a method for controlling the degree of access to operating system resources for a software program running on a computer is provided. The degree of access to the operating system resources is defined for the software program, and at least one file including instructions for executing the software program is loaded on the computer. The file is examined to determine the degree of system-level access available to the software program when the software program is being executed by the computer. The software program is executed, and a program instruction requesting access to secure resources associated with the software program is intercepted when the software is being executed on the computer. A determination is then made to determine if the program instruction includes an operation that is outside of a degree of system-level access that is available to the software program, and if it is determined that the software program has permission to access system-level resources associated with the computer that are within the degree of system-level access available to the software, the program instruction is executed.

In another aspect of the present invention, a method for controlling the degree of access to system resources for a software program running on a client computer that is running the operating system, where at least some of the operating system resources reside on a server computer that is coupled with the client computer, is provided. The degree of access to the operating system resources for the software program is defined, and at least one file including instructions for executing the software program on the client computer is loaded. The file is examined to determine the degree of system-level access available to the software program when the software program is being executed by the client computer. The software program is executed on the client computer, and a program instruction associated with the software program is intercepted when the software program is being executed on the client computer. A determination is made regarding whether the program instruction includes an operation that is outside the degree of system-level access available to the software program, and when it is determined that the software program has permission to access system-level resources that are within the degree of system-level access available to the software program, the program instruction is executed. These, and other aspects and advantages of the present invention, will become apparent when the Description below is read in conjunction with the accompanying Drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention, together with further advantages thereof, may best be understood by reference to the following description taken in conjunction with the accompanying drawings in which:

Fig. 1a is a diagrammatic representation of a wide area computer network in which both users and intranets are coupled by a computer network through the Internet.
Fig. 1b is a diagrammatic representation of a conventional intranet system.
Fig. 2a is a diagrammatic representation of a collection of class files in accordance with an embodiment of the present invention.
Fig. 2b is a diagrammatic representation of an archive file data format in accordance with an embodiment of the present invention.
Fig. 3a is a diagrammatic representation of a client-side directory structure in accordance with an embodiment of the present invention.
Fig. 3b is a diagrammatic representation of the structure of a client-side configuration file in accordance with an embodiment of the present invention.
Fig. 3c is a diagrammatic representation of the structure of a client-side access file in accordance with an embodiment of the present invention.
Fig. 3d is a diagrammatic representation of the structure of a client-side group specification file in accordance with an embodiment of the present invention.
Fig. 4 is a process flow diagram which illustrates a method of executing a request to access a resource in accordance with an embodiment of the present invention.
Fig. 5 is a process flow diagram which illustrates the steps associated with validating class files in accordance with an embodiment of the present invention.
Fig. 6 is a process flow diagram which illustrates the steps associated with executing an applet in accordance with an embodiment of the present invention.
Fig. 7 is a process flow diagram which illustrates the steps associated with calling a security manager in accordance with an embodiment of the present invention.
Fig. 8 is a diagrammatic representation of a computer system in accordance with the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS

Certain embodiments of a method and apparatus for controlling the access by applets to system resources will be described below making reference to the accompanying drawings.

An illustration of one network in accordance with the present invention is provided in Fig. 1a. Included in the network illustrated in Fig. 1a are intranets 102 and 104 and an individual external computer shown at 106. The structure of intranets 102 and 104 is described in greater detail below with respect to Fig. 1b. Both the intranets and the user are connected to the computer network through a variety of computer gateways ("G/W"). In some embodiments, the computer network includes the Internet. Referring to Fig. 1a more specifically, intranet 102 is coupled with intranet 104 and user 106 through the Internet which is shown generally at 108. The connection between intranet 102 and the Internet 108 is provided first through a gateway 110 which is coupled with intranet 102 and a "backbone," or high capacity dataline 112. Data from a high capacity line 112 is routed through gateway 114 through the Internet 108 which data passes through a second gateway 116 and into high capacity dataline shown at 118. As will be appreciated by those of skill in the computer network arts, dataline 118 can be the same as dataline 112, or may represent a separate backbone to which various other individuals, or users, and networks are coupled.

Data that travels from intranet 102 through the Internet 108 and over high speed dataline 118 passes through gateway 120 to intranet 104 or through gateway 124 to user 106. Thus, according to the illustrated embodiment, data can be passed among user 106, intranet 104, and intranet 102. In particular, the data may travel through the Internet 108 as just described, or may pass across backbone 118 between user 106 and intranet 104. In some embodiments, intranet 104 and intranet 102 can be coupled directly through network configurations known to those of skill in the art as "extranets". Extranets are network arrangements in which a given network or individual is coupled with a remote network through a dedicated data connection. This connection may include data that is routed through the Internet, as illustrated in Fig. 1a, or may be a direct data feed, such as through an ISDN or T1 dataline. Various configurations in addition to methods and materials for establishing such configurations will be apparent to those of skill in the computer network and telecommunications arts.

One embodiment of an intranet, such as illustrated in Fig. 1a at 102 or 104, is provided in Fig. 1b at 50. A typical intranet 50 includes a server 60 which is coupled with clients 62 and 64. In addition, server 60 can be coupled to other client computers such as shown at 70, 72, and 74 through a router, hub or similar data transfer device such as shown at node 58. In addition, remote clients (not shown) can be connected to server 60 either through a direct line or through the use of telephone lines using, e.g., a modem or similar device. In some cases, access to intranet 50 will be controlled to a high degree by a "firewall" configuration which is illustrated by the box 75. The establishment of communications from users external to the firewall, such as remote client 78, can be achieved by traversing a gateway which allows access to the protected server. Such a gateway is illustrated at 76.

Typically, a server provides data and software that is accessible to the various clients which are in communication with the server, either directly or through a device such as a router. The construction, maintenance, and operation of the server, router, and various client machines will be well known to those of skill in the art. In some particular embodiments, server 60 will be configured to provide data that is compatible with browser software such as that used to view data on the World Wide Web. Specifically, the data provided by server 60 will be in the form of pages of data that can be examined using typical browser software. In one embodiment, the server and clients are configured to exchange not only data but computer software in the form of "applets," such as those written in the Java™ programming language available from Sun Microsystems of Palo Alto, California. "Applets" as used herein are software programs that are configured to be passed from a source computer, typically a server, to a client machine and run in conjunction with software already installed on the client. In one embodiment, the software with which the applet runs is the above-described browser software. Typically, applets provide additional functionalities to browser software by performing various computational tasks which the browser software itself is not configured to perform. Thus, users who download applets can provide the browser software with additional functionalities that are not otherwise available to the browser software. Such additional capabilities can include, e.g., custom interfaces to a database.

In general, a client, as for example client 62, calls into server 60 using a user agent, or a browser. User agents include, but are not limited to, HotJava™, available from Sun Microsystems, Incorporated of Palo Alto, California, and Netscape, available from Netscape Communications Corporation of Mountain View, California. In one embodiment, the user agents generally include a processing engine which executes the applet code, and a security manager used in the determination of whether an applet has access to certain system resources. Examples of such a security manager are provided herein below.

According to one embodiment, a server, located either on the Internet or within an intranet, provides class libraries which contain class files that define an applet. One example of such a class library is a Java™ class library. Specifically, a server can contain the class files that make up the applet, and the particular Web pages including HTML code that references the applet.

According to one embodiment of the present invention, applets are instantiated from class files that are downloaded from a source computer, or a server, to a client machine. The class files may be grouped together into an archive file. Further, an archive file can be digitally signed, or otherwise marked, such that the origin of an applet created from the archive file can be reliably determined. The signature of an archive file can then be verified in order to determine which system resources are accessible to the machine on which the applet is executing. The use of signatures enables the access to system resources of the client machine by the applet to be controlled, e.g., by reference to the security status of the server from where the applet originated. By way of example, an applet executing on one client may have different access privileges than the same applet executing on a second client by virtue of the fact that the permissions associated with the applet on each client may be different. This resource access control therefore enables applets associated with secure machines, e.g., machines in the same intranet as the machine which contains the resources, to have more access to resources than applets associated with unsecure machines, e.g., machines on the Internet.

Fig. 2a is a diagrammatic representation of a collection of class files in accordance with an embodiment of the present invention. The format of the collection of class data files, which is generally used on a server, is not arranged to accept signatures. That is, each class file typically defines a class residing on a server. The format is such that the collection includes any number of classes, as for example class "1" 202, class "2" 204, and class "N" 206. A class may be defined as a software construct that defines data and methods, or sequences of statements that operate on the data, which are specific to any applets that are subsequently constructed from that class. In other words, as previously stated, an applet may be constructed by instantiating a previously defined class. It should be appreciated that a single class may be used to construct many applets.

The execution of an applet usually entails requests, or commands, to access system resources. While an applet may contain instructions to access many different system resources, due to security concerns, an applet is either allowed access to all of the specified system resources or access to none of the specified system resources under present design restraints. As discussed above, this "all-or-nothing" approach to system resource access is often undesirable in that an applet running within an intranet system, for example, is "trusted," e.g., of known origin, while an equivalent applet running externally to the intranet system is considered to be unsecure. As the applet running within the intranet system and the equivalent applet running externally are typically given the same access privileges to system resources, in order to maintain the security of the intranet system, the applets are generally given no access privileges.

The ability to selectively constrain applets from accessing resources enables a user within an intranet system to restrict access to resources on an individual applet basis. Including a "signature," or an identifier, with class files that are used to instantiate an applet is one method which serves to enable an intranet organization to selectively control applets. Signing, or marking, class files such that it is possible to determine where the class files originated enables an intranet system to determine the appropriate access privileges associated with an applet instantiated from the class files. In addition, signing class files further enables a determination to be made regarding whether a class file has been tampered with. An archive file structure which permits a group of class files to be digitally signed will be described below with respect to Fig. 2b.

By providing an archive file which can be digitally signed, it becomes possible to enable an applet, either internal or external to an intranet system, that is constructed from the class files associated with the archive file to access selected system resources within the intranet system. Checking the digital signature of the archive file makes it possible to determine whether a given applet has been tampered with, and which computers have signed the applet. As such, access privileges may be allocated based upon whether the applet originated from a secure, or trusted, host or from an unsecure host. In addition, in some embodiments, the allocation of access privileges enables users to decide which hosts are to be trusted and which are not to be trusted.

Fig. 2b is a diagrammatic representation of an archive file data format in accordance with an embodiment of the present invention. In the described embodiment, the archive format is a Java™ archive (JAR) format. Archive, or archive file, 210 includes a header signature 212 which is the signature that is typically used by a user agent to verify the validity of archive 210 and to determine the levels of access available to archive 210. In general, header signature 212 is a digital signature which may be a part of a general header that contains other information, which information includes, but is not limited to, information corresponding to the size of the archive. Archive 210 has any number of associated classes, as for example class "1" 202, class "2" 204, and class "N" 206, from which applets and associated objects are instantiated.

Additionally, archive 210 may have associated data blocks, as for example data block 214. Data block 214 may contain images, text, or any arbitrary data that is considered to be a part of archive 210. In one embodiment, data block 214 may contain a text string that describes classes 202, 204, and 206 that are associated with archive 210. It should be appreciated that in other embodiments, archive 210 may not include a data block.

Referring next to Fig. 3a, an embodiment of a client-side directory structure will be described in accordance with the present invention. A user who makes a request to access a resource through a client generally interfaces with a user directory 302. User directory 302 has an associated browser directory 304 which contains information relating to a browser, or a user agent. The browser may be any suitable browser, as for example the HotJava™ browser as mentioned above. Browser directory 304 includes a properties file 306 that is appropriate to the request made by the user. Properties file 306 typically includes user preference items 308 which are generally browser specifications that are provided by the user. These specifications may include, but are not limited to, data relating to browser set-up and behavioral properties associated with the browser.

Properties file 306 further includes information that is relevant to the particular request made by the user. By way of example, such information can include an images data block 310, a configuration file name 312, and a group specification file name 314. In one embodiment, images data block 310 includes data file names, i.e., strings, which identify any images that are associated with the request. A configuration file name 312 is a string that identifies a configuration file which is used to facilitate the mapping of a requested resource to associated security descriptors. One example of a configuration file will be described below with reference to Fig. 3b. Group specification ("spec") file name 314 is a string which identifies a group specification file, as will be described below with respect to Fig. 3c.

Fig. 3b is a diagrammatic representation of the structure of a configuration file in accordance with an embodiment of the present invention. Configuration file 350 is an example of a configuration file identified by configuration file name 312 as mentioned above with respect to Fig. 3a. Configuration file 350 includes a table 352 which associates resources 354 on a server, i.e., a server which the client wishes to access, with corresponding access file names 356. That is, table 352 associates an entry in the resources "column" 354 with a corresponding entry in the access file names "column" 356. Resources 354 are generally classifiers which identify various system resources, as for example files, hosts, and socket numbers. Access file names 356 identify corresponding access files which contain security descriptors and other information that is relevant to the control of access to system resources with which access files are associated. The structure of an access file will be described in more detail below with reference to Fig. 3c. It should be appreciated that due to the fact that more than one resource 354 may share the same security descriptor, access file names 356 and, therefore, access files, may be associated with more than one resource 354.

Referring next to Fig. 3c, the structure of an access file will be described in accordance with an embodiment of the present invention. Access file 360 generally includes a table 361 which associates principals 362 with permissions 364. Principals 362 may be individual hosts or groups of hosts. By way of example, "java.com" may be an individual host, i.e., a server, which is a principal 362. Alternatively, "java.com" and "sun.com" may form a principal 362 that is a group. In some embodiments, principals 362 can also be the signers of particular archives. Permissions 364 provide groupings of security descriptors. That is, permissions 364 are groupings of security descriptors which designate the resources to which principals 362, with which permissions 364 are associated, have access.

Fig. 3d is a diagrammatic representation of a group specification ("spec") file format in accordance with an embodiment of the present invention. As mentioned above, the group specification file name 314 of Fig. 3a identifies a group specification file, as for example group specification file 370. Group specification file 370 includes a table 371 that associates group names 372 with any number of members 374. Group names 372 are essentially identifiers that may be used to identify a group of members 374. By way of example, a group name, as for example group "1" 372a, may be associated with any number of members, as for example member "1" 374a and member "2" 374b. It should be appreciated that a member, as for example member "1" 374a, may be associated with more than one group name 372.
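As an added example, not code from the patent or from any Sun product, the three client-side tables of Figs. 3b, 3c and 3d are modelled below together with the security-manager decision the Summary describes for an intercepted program instruction (resource to access file, principals including group members and archive signers, then the permission check). The patent does not fix an on-disk syntax for these files, so they are held as in-memory dictionaries; every host, file name, resource classifier and permission name is constructed.

```python
"""Model of the configuration, access and group specification files and the
access decision made when an applet's instruction is intercepted. Added
example; all policy contents below are constructed, not taken from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Applet:
    """Identity of a running applet as seen by the client."""
    origin_host: str                     # server the class files or archive came from
    signers: frozenset = frozenset()     # signers of the archive; empty when unsigned


class SecurityManager:
    """Resolves resource -> access file -> principals -> permissions and decides."""

    def __init__(self, config_file, access_files, group_spec):
        self.config_file = config_file    # Fig. 3b: resource classifier -> access file name
        self.access_files = access_files  # Fig. 3c: access file name -> {principal: permissions}
        self.group_spec = group_spec      # Fig. 3d: group name -> set of member hosts

    def principals_for(self, applet):
        """Every principal the applet matches: its origin host, each group that
        lists that host (a host may sit in several groups), and any signers."""
        names = {applet.origin_host}
        names |= {f"group:{g}" for g, members in self.group_spec.items()
                  if applet.origin_host in members}
        names |= {f"signer:{s}" for s in applet.signers}
        return frozenset(names)

    def permitted(self, applet, resource):
        """Union of the security descriptors granted to the applet for a resource."""
        acl_name = self.config_file.get(resource)
        if acl_name is None:
            return frozenset()            # resource not mapped: nothing is granted
        table = self.access_files.get(acl_name, {})
        granted = set()
        for principal in self.principals_for(applet):
            granted |= table.get(principal, set())
        return frozenset(granted)

    def check_instruction(self, applet, resource, operation):
        """Decision at interception time: True only when the operation lies within
        the degree of access available to the applet; anything unresolved is denied."""
        return operation in self.permitted(applet, resource)


# Constructed policy of an intranet client. Two resources share one access file,
# as Fig. 3b allows, and one host belongs to two groups, as Fig. 3d allows.
INTRANET_CLIENT = SecurityManager(
    config_file={
        "file:/export/payroll": "payroll.acl",
        "host:db.intranet.example": "db.acl",
        "socket:5432": "db.acl",
    },
    access_files={
        "payroll.acl": {
            "group:finance": {"read"},
            "signer:hr-release-key": {"read", "write"},
        },
        "db.acl": {
            "java.com": {"connect"},
            "group:finance": {"connect", "read"},
        },
    },
    group_spec={
        "finance": {"java.com", "sun.com"},
        "intranet": {"java.com", "sun.com", "mail.intranet.example"},
    },
)

# The same file structure on an external client whose access file trusts only the
# signed release, so the same applet receives different privileges there.
EXTERNAL_CLIENT = SecurityManager(
    config_file={"file:/export/payroll": "payroll.acl"},
    access_files={"payroll.acl": {"signer:hr-release-key": {"read"}}},
    group_spec={},
)


def demo():
    """Decisions for a few intercepted instructions, returned for inspection."""
    unsigned = Applet("sun.com")                                    # plain class files, no JAR
    signed = Applet("unknown.example", frozenset({"hr-release-key"}))
    outsider = Applet("www.example.net")
    return {
        "sun.com read payroll (intranet)": INTRANET_CLIENT.check_instruction(unsigned, "file:/export/payroll", "read"),
        "sun.com write payroll (intranet)": INTRANET_CLIENT.check_instruction(unsigned, "file:/export/payroll", "write"),
        "outsider connect db (intranet)": INTRANET_CLIENT.check_instruction(outsider, "host:db.intranet.example", "connect"),
        "signed write payroll (intranet)": INTRANET_CLIENT.check_instruction(signed, "file:/export/payroll", "write"),
        "signed write payroll (external)": EXTERNAL_CLIENT.check_instruction(signed, "file:/export/payroll", "write"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allow' if allowed else 'deny'}")
```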

Fig. 4 is a process flow diagram which illustrates a method of executing a request to access a resource in accordance with an embodiment of the present invention. The process begins at 402 and in a step 404, a call is made from a requesting client, e.g., client 74 of Fig. 1b, to a server, e.g., server 60 of Fig. 1b, to initiate the download of either at least one class file, as described with respect to Fig. 2a, or an archive file, as described above with respect to Fig. 2b. The request is received on the server in response to a client call made through a user agent, i.e., a browser, as for example a HotJava™ browser or a Netscape Navigator browser as previously mentioned. The initiation of the downloading of either at least one class file or an archive file occurs in response to a request to access a resource and, hence, is a call to execute an applet. In one preferred embodiment, the archive file is a JAR file.

In a step 406, either the archive file is loaded or the class files are loaded from the server into memory associated with the requesting client. In general, class files are loaded if the classes are not in an archive file, e.g., are not digitally signed, and an archive file is loaded if the classes are digitally signed. It should be appreciated that the archive file has associated class files. As such, loading the archive file involves loading class files. After the class files are loaded into memory, a validation process is performed on the loaded files in a step 408. The validation process, which includes the process of verifying whether the header signature associated with a loaded archive file is valid, in the event that an archive file has been loaded, will be described below with reference to Fig. 5.

After the validation process, in a step 410, the class files are converted into an applet. That is, an applet is created in memory by instantiating the loaded class files, which may or may not be part of a JAR file. Once the applet is created, the applet is executed in a step 412. The steps associated with the execution of an applet will be described below with respect to Fig. 6.

Fig. 5 is a process flow diagram which illustrates the steps associated with validating class files, i.e., step 408 of Fig. 4, in accordance with an embodiment of the present invention. The process begins at step 502, and in a step 504, a determination is made regarding whether an archive file or a class file has been loaded. If a class file has been loaded, then process flow proceeds to a step 506 in which a standard class verification is performed. A standard class verification typically includes a check of all loaded class files and, therefore, classes, in order to ascertain whether anything in the class files may compromise security. In some embodiments, a check is made to determine if the security of a virtual machine, as for example a Java™ virtual machine, can be compromised. Standard class verification methods are generally well known to those of ordinary skill in the art. Once the standard class verification is performed, the process of validating the class files is completed at 520.

If the determination in step 504 is that an archive file has been loaded, then in a step 508, the header of the archive file is validated, or authenticated. The validation of the archive file generally involves an identification of the origin of the archive file based upon the header signature. That is, a check is made to establish the origin of the header signature and, therefore, the archive file. The validation may also include a check of whether data associated with the archive file is intact. It should be appreciated that in some embodiments, an archive file may not include a header signature. By way of example, an archive file within an intranet may not be signed. In a step 510, a determination is made as to whether the header is valid. If the header is not valid, e.g., the content of the archive does not correspond with the signature, then in a step 514, an error flag or the like is raised. In one embodiment, the error flag may result in an exception being thrown. In another embodiment, the error flag may result in a message being returned to the requesting client. After the error flag is raised, the process of validating class files ends at 520.

If the header is found to be valid in step 510, process flow moves from step 510 to a step 512 which is the determination of whether any classes associated with the archive file remain to be validated. If there is a class to be validated, then in a step 516, a standard class verification is performed. As previously described for step 506, a standard class verification includes a check of whether anything in a given class may compromise the security of a virtual machine. By way of example, the security of a virtual machine may be compromised if something in a given class can overwrite files or memory on the virtual machine. After the standard class verification is completed on the given class, process control returns to step 512 in which a determination is made regarding whether there are any more classes which are to be validated. Process control loops between steps 512 and 516 until a determination is made in step 512 that no more classes remain to be validated, at which point the process of validating class files is completed at 520.
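The validation flow of Fig. 5 can be made concrete as follows. This is an added example in Python, not code from the patent: the archive layout (a header naming the signer plus a signature over the class data), the trust store of signer keys and the "forbidden token" stand-in for bytecode verification are all assumptions of the example, and an HMAC-SHA256 tag keyed by a per-signer secret stands in for the public-key signature a real signed archive such as a JAR would carry. What it demonstrates is the decision flow: a bare class file goes straight to class verification (step 506), a signed archive whose content no longer corresponds with its signature raises the error flag (step 514), an unsigned archive yields no origin but still has every class verified (steps 512 and 516), and one class that fails verification fails the whole archive.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple, Union


class ValidationError(Exception):
    """The error flag of step 514; here it is raised as an exception."""


# Constructed trust store: signer principal -> verification key. HMAC-SHA256 keyed
# by a per-signer secret stands in for the public-key signature a real signed
# archive (e.g. a JAR) would carry; only the decision flow is the point here.
TRUSTED_SIGNERS: Dict[str, bytes] = {
    "java.com": b"java.com-verification-key",
    "sun.com": b"sun.com-verification-key",
}

# Constructed stand-in for standard class verification (steps 506/516): a class
# containing one of these tokens is treated as able to overwrite memory or files.
FORBIDDEN_TOKENS = (b"OVERWRITE_MEMORY", b"OVERWRITE_FILE")

# An archive is {"header": {"signer": str, "signature": str} or None,
#                "classes": [bytes, ...]}   (layout assumed for this example)
Archive = Dict[str, object]


def content_digest(classes: List[bytes]) -> bytes:
    """Digest over all class data, length-prefixed so class boundaries are unambiguous."""
    h = hashlib.sha256()
    for cls in classes:
        h.update(len(cls).to_bytes(4, "big"))
        h.update(cls)
    return h.digest()


def build_archive(classes: List[bytes], signer: Optional[str] = None,
                  key: Optional[bytes] = None) -> Archive:
    """Assemble an archive; with a signer and key, attach a header signature
    over the content. Without them the archive is unsigned (the intranet case)."""
    header = None
    if signer is not None and key is not None:
        tag = hmac.new(key, content_digest(classes), "sha256").hexdigest()
        header = {"signer": signer, "signature": tag}
    return {"header": header, "classes": list(classes)}


def verify_class(cls: bytes) -> bool:
    """Standard class verification stand-in: reject anything that could
    compromise the virtual machine."""
    return not any(token in cls for token in FORBIDDEN_TOKENS)


def validate_header(archive: Archive) -> Optional[str]:
    """Steps 508 and 510: establish the origin of the header signature and that
    the content is intact. Returns the signer, or None for an unsigned archive;
    raises ValidationError when a signature is present but does not check out."""
    header = archive["header"]
    if header is None:
        return None
    key = TRUSTED_SIGNERS.get(header["signer"])
    if key is None:
        raise ValidationError("unknown signer: %s" % header["signer"])
    expected = hmac.new(key, content_digest(archive["classes"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, header["signature"]):
        raise ValidationError("archive content does not correspond with the signature")
    return header["signer"]


def validate(loaded: Union[bytes, Archive]) -> Tuple[Optional[str], int]:
    """Fig. 5 (step 408 of Fig. 4). `loaded` is a single class file (bytes) or
    an archive. Returns (origin, number of classes verified); raises
    ValidationError on any failure so nothing reaches step 410."""
    if isinstance(loaded, (bytes, bytearray)):          # step 504: plain class file
        if not verify_class(bytes(loaded)):              # step 506
            raise ValidationError("class verification failed")
        return None, 1
    origin = validate_header(loaded)                     # steps 508 and 510
    for index, cls in enumerate(loaded["classes"]):      # loop of steps 512 and 516
        if not verify_class(cls):
            raise ValidationError("class %d failed verification" % index)
    return origin, len(loaded["classes"])
```

Two points the model makes visible: an unsigned archive establishes no origin, so the security manager of Fig. 7 can match it only on host-based principals and never on a signer principal; and the content-versus-signature comparison has to run before any class is instantiated, because it is the only step that keeps a tampered archive from reaching step 410.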

Fig. 6 is a process flow diagram which illustrates the steps associated with executing an applet in accordance with an embodiment of the present invention. That is, step 412 of Fig. 4 will be described. The process begins at 602, and, in a step 604, a determination is made as to whether the applet contains an instruction to execute an operation. The operation may generally be a call to access a system-level resource. If the applet does not contain an instruction to execute an operation, then the process of executing the applet ends at 616. If the applet does contain an instruction to execute an operation, then process flow proceeds to a step 606 in which it is determined whether the operation to be executed is a protected, e.g., secured, operation. That is, a determination is made regarding whether the operation is an operation to which access is controlled. If it is determined that the operation is not protected, then the operation is executed in a step 608, and process flow returns to step 604, which is the determination of whether there is an instruction to execute another operation.

If it is determined in step 606 that the operation in the instruction to execute is protected, then process flow moves to a step 610 in which the applet security manager is called. The process of calling the security manager will be described in more detail below with reference to Fig. 7. The applet security manager typically controls the operations which are accessible to given applets. In one embodiment, the applet security manager is a Java™ applet security manager. In a step 612, it is determined whether the operation is allowed. In other words, step 612 is the determination of whether the applet has access to the operation which is to be executed. If the operation is allowed, then the operation is executed in step 608. From step 608, process control returns to step 604 which is the determination of whether there is an instruction to execute another operation.

If the determination in step 612 is that the operation is not allowed, then an error condition occurs, which can be implemented by having an exception thrown in step 614, and the process of executing the applet ends at 616. It should be appreciated that in some embodiments, the step of throwing an exception may involve calling a throw function. In other embodiments, the step of throwing an exception may involve transmitting an error message which may be displayed by a user agent that is associated with the requesting client. In still other embodiments, the error handling may cause an interaction with the user to occur in the form of asking whether the user approves the performance of the operation by the applet. In such embodiments, access files can possibly be updated to permanently record the response provided by the user.

Referring next to Fig. 7, the process of calling a security manager, i.e., step 610 of Fig. 6, will be described. It should be appreciated that a user agent generally has only one associated security manager. The process of calling a security manager begins at 702 and in a step 704, the operation which is being called by the applet is identified. Although the operation may be any one of a number of operations, the operation is generally a read operation or a write operation. From step 704, process flow proceeds to a step 706 in which the name of the resource associated with the operation is identified. In some embodiments, the name of the resource is passed into the call to the security manager and, hence, is readily identified. However, when the name of the resource is not passed into the call, the properties file, as previously described with respect to Fig. 3a, may be used to identify the associated resource.

Once the associated resource is identified in step 706, the name of the access file which corresponds to the resource is identified using the configuration file, which was described earlier with respect to Fig. 3b, that is associated with the applet. Permissions corresponding to the applet are then obtained from the access file in a step 710. It should be appreciated that in some embodiments, the appropriate access file may be a representation of the actual access file in memory. The access file, as described above with respect to Fig. 3c, associates individual hosts or groups with a set of permissions. After the permissions are obtained, the call to the security manager is completed at 712.
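Putting the access file of Fig. 3c, the group specification of Fig. 3d and the security-manager call of Figs. 6 and 7 together, the following Python is an added example and not code from the patent or from any Java security manager. The contents of the properties, configuration, group specification and access files are constructed, the dictionary layouts and the "signer:" prefix for signer principals are assumptions, and a security descriptor is modelled as a (resource, operation) pair. It shows the whole lookup chain: operation and resource name (steps 704 and 706, with the properties file as the fallback), resource to access file through the configuration file, the applet's identity expanded to its host, every group that lists that host and its archive signer, the unprotected branch of step 606 for a resource with no access file, and the final allow-or-throw decision (steps 612 and 614).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# One security descriptor: the resource it designates and the operation allowed on it.
Descriptor = Tuple[str, str]


class SecurityException(Exception):
    """Raised at step 614 when a protected operation is not allowed."""


# Fig. 3a properties file (constructed): call name -> resource it touches. Used at
# step 706 when the call into the security manager does not name the resource.
PROPERTIES: Dict[str, str] = {"readHosts": "/etc/hosts"}

# Fig. 3b configuration file (constructed): resource -> access file name. Two
# resources that share one security descriptor map to the same access file.
CONFIGURATION: Dict[str, str] = {
    "/etc/hosts": "hosts.acl",
    "/etc/services": "hosts.acl",
    "/var/log/applet.log": "log.acl",
}

# Fig. 3d group specification file (constructed): group name -> member hosts.
# sun.com sits in two groups, as the text allows for a member.
GROUPS: Dict[str, Set[str]] = {"1": {"java.com", "sun.com"}, "2": {"sun.com"}}

# Fig. 3c access files (constructed): principal -> permissions, modelled as a set
# of security descriptors. Principals are hosts, group names, or archive signers
# (the "signer:" prefix is an assumption of this example).
ACCESS_FILES: Dict[str, Dict[str, Set[Descriptor]]] = {
    "hosts.acl": {
        "java.com": {("/etc/hosts", "read")},
        "1": {("/etc/services", "read")},
    },
    "log.acl": {
        "signer:sun.com": {("/var/log/applet.log", "read"),
                           ("/var/log/applet.log", "write")},
    },
}


@dataclass(frozen=True)
class Applet:
    host: str                      # server the class files were downloaded from
    signer: Optional[str] = None   # origin established from the archive header, if signed


@dataclass(frozen=True)
class Instruction:
    name: str                      # the call the applet makes
    op: str                        # "read" or "write", identified at step 704
    resource: Optional[str] = None # resource named in the call, or None


def principals_for(applet: Applet) -> Set[str]:
    """Every principal the applet can match: its host, each group whose member
    list contains that host, and its signer when the archive was signed."""
    principals = {applet.host}
    principals.update(g for g, members in GROUPS.items() if applet.host in members)
    if applet.signer:
        principals.add("signer:" + applet.signer)
    return principals


def resource_for(instr: Instruction) -> Optional[str]:
    """Step 706: the resource passed into the call, else the properties file."""
    if instr.resource is not None:
        return instr.resource
    return PROPERTIES.get(instr.name)


def permissions_for(applet: Applet, resource: str) -> Set[Descriptor]:
    """Access file via the configuration file, then (step 710) the union of the
    descriptors granted to any of the applet's principals."""
    acl = ACCESS_FILES.get(CONFIGURATION[resource], {})
    granted: Set[Descriptor] = set()
    for principal in principals_for(applet):
        granted |= acl.get(principal, set())
    return granted


def check(applet: Applet, instr: Instruction) -> str:
    """Steps 606 to 614 for one instruction. Returns "executed" when the
    operation is unprotected or allowed; raises SecurityException otherwise."""
    resource = resource_for(instr)
    if resource is None or resource not in CONFIGURATION:
        return "executed"   # step 606: no access file, so not protected -> step 608
    if (resource, instr.op) in permissions_for(applet, resource):
        return "executed"   # step 612: allowed -> step 608
    raise SecurityException(f"{applet.host}: {instr.op} on {resource} is not allowed")


def run_applet(applet: Applet, program) -> int:
    """Fig. 6 loop (steps 604 to 616): execute instructions in order and stop at
    the first one that is denied. Returns how many instructions executed."""
    executed = 0
    for instr in program:
        check(applet, instr)
        executed += 1
    return executed
```

The union over principals is what makes group membership and signer identity additive: an applet from sun.com gets read access to /etc/services only through group "1", and write access to the log only when its archive was signed by sun.com, while the same host without a signature is refused. Note also that a resource absent from the configuration file is simply unprotected, so the completeness of that file is the real security boundary of this design.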
Fig. 8 illustrates a typical computer system in accordance with the present invention. The computer system 830 includes any number of processors 832 (also referred to as central processing units, or CPUs) that are coupled to memory devices including primary storage devices 834 (typically a read only memory, or ROM) and primary storage devices 836 (typically a random access memory, or RAM). As is well known in the art, ROM 834 acts to transfer data and instructions uni-directionally to the CPU and RAM 836 is used typically to transfer data and instructions in a bi-directional manner. Both primary storage devices 834, 836 may include any suitable computer-readable media as described above. A mass memory device 838 is also coupled bi-directionally to CPU 832 and provides additional data storage capacity. The mass memory device 838 may be used to store programs, data and the like and is typically a secondary storage medium such as a hard disk that is slower than primary storage devices 834, 836. Mass memory storage device 838 may take the form of a magnetic or paper tape reader or some other well-known device. It will be appreciated that the information retained within the mass memory device 838 may, in appropriate cases, be incorporated in standard fashion as part of RAM 836 as virtual memory. A specific mass storage device such as a CD-ROM 834 may also pass data uni-directionally to the CPU.

CPU 832 is also coupled to one or more input/output devices 840 that may include, but are not limited to, devices such as video monitors, track balls, mice, keyboards, microphones, touch-sensitive displays, transducer card readers, magnetic or paper tape readers, tablets, styluses, voice or handwriting recognizers, or other well-known input devices such as, of course, other computers. Finally, CPU 832 optionally may be coupled to a computer or telecommunications network, e.g., an Internet network or an intranet network, using a network connection as shown generally at 812. With such a network connection, it is contemplated that the CPU might receive information from the network or might output information to the network in the course of performing the above-described method steps. The above-described devices and materials will be familiar to those of skill in the computer hardware and software arts. Further, it should be appreciated by those skilled in the art that the above described hardware and software elements, as well as networking devices, are of standard design and construction.

The computer-implemented methods described herein can be implemented using techniques and apparatus that are well-known in the computer science arts for executing computer program instructions on computer systems. As used herein, the term "computer system" is defined to include a processing device (such as a central processing unit, CPU) for processing data and instructions that is coupled with one or more data storage devices for exchanging data and instructions with the processing unit, including, but not limited to, RAM, ROM, CD-ROM, hard disks, and the like. The data storage devices can be dedicated, i.e., coupled directly with the processing unit, or remote, i.e., coupled with the processing unit over a computer network. It should be appreciated that remote data storage devices coupled to a processing unit over a computer network can be capable of sending program instructions to a processing unit for execution on a particular workstation. In addition, the processing device can be coupled with one or more additional processing devices, either through the same physical structure (e.g., a parallel processor), or over a computer network (e.g., a distributed processor). The use of such remotely coupled data storage devices and processors will be familiar to those of skill in the computer science arts (see, e.g., Ralston 1993). The term "computer network" as used herein is defined to include a set of communications channels interconnecting a set of computer systems that can communicate with each other. The communications channels can include transmission media such as, but not limited to, twisted pair wires, coaxial cable, optical fibers, satellite links, or digital microwave radio. The computer systems can be distributed over large, or "wide," areas (e.g., over tens, hundreds, or thousands of miles, WAN), or local area networks (e.g., over several feet to hundreds of feet, LAN). Furthermore, various local-area and wide-area networks can be combined to form aggregate networks of computer systems. One example of such a confederation of computer networks is the "Internet".

Although only a few embodiments of the present invention have been described, it should be understood that the present invention may be embodied in many other specific forms without departing from the spirit or the scope of the present invention. By way of example, although only one configuration of an archive file data structure which may be signed has been described, it should be appreciated that the archive file data structure may be widely varied within the scope of the present invention. Further, steps involved with a method of executing a request to access system resources may be reordered. Steps may also be removed or added without departing from the spirit or the scope of the present invention. Therefore the described embodiments should be taken as illustrative and not restrictive, and the invention should be defined by the following claims and their full scope of equivalents.

Claims 

1. A method for controlling the degree of access to operating system resources for a software program running on a computer, which computer is running said operating system, the method comprising the steps of:

(a) defining said degree of access to said operating system resources for said software program;

(b) examining at least one file associated with said software program to determine the degree of system-level access available to said software program when said software program is being executed by said computer;

(c) executing said software program on said computer;

(d) intercepting a program instruction associated with said software program when said software program is being executed on said computer;

(e) determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program; and

(f) executing said program instruction when it is determined that said software program has permission to access system-level resources associated with said computer that are within the degree of system-level access available to said software program.

2. A method as recited in claim 1 wherein said step of determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program comprises validating an identifier associated with said software program.

3. A method as recited in any one of the preceding claims wherein said step of executing said program instruction comprises determining if said system-level resources being accessed by said program instruction are protected system-level resources.

4. A method as recited in any one of the preceding claims wherein said software program comprises an applet.

5. A method as recited in claim 4 wherein said applet is a Java applet.

6. A method as recited in one of claims 4 and 5 wherein said applet is associated with a header, said header being arranged to include an identifier, said identifier being arranged to identify an origin of said file.

7. A method as recited in claim 6 further including the step of validating said identifier to determine if said computer has permission to access said system-level resources.
8. A method as recited in one of claims 4-7 wherein said computer is a client computer and said applet is downloaded to said client computer from a server computer.

9. A method as recited in claim 8 wherein:

(a) said step of examining includes determining the degree of system-level access to said server that is available to said applet when said applet is being executed by said client computer as defined by said defining a degree of access to said system-level resources associated with said server computer for said applet;

(b) said step of determining includes determining if said program instruction to access system-level resources associated with said server computer includes an operation that is outside said degree of system-level access available to said applet; and

(c) said step of executing includes executing said program instruction to access system-level resources associated with said server computer when it is determined that said applet has permission to access system-level resources associated with said server computer that are within the degree of system-level access available to said applet.

10. A method for controlling the degree of access to operating system resources for a software program running on a client computer which client computer is running said operating system, wherein at least some of said operating system resources reside on a server computer that is coupled with said client computer through a computer network, the method comprising the steps of:

(a) defining said degree of access to said operating system resources for said software program;

(b) loading at least one file including instructions for executing said software program on said client computer;

(c) examining said at least one file to determine the degree of system-level access available to said software program when said software program is being executed by said client computer as defined by said step of defining said degree of access;

(d) executing said software program on said client computer;

(e) intercepting a program instruction associated with said software program when said software program is being executed on said client computer;

(f) determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program; and

(g) executing said program instruction when it is determined that said software program has permission to access system-level resources that are within the degree of system-level access available to said software program.

11. A method as recited in claim 10 wherein said step of determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program comprises validating an identifier associated with said software program.

12. A method as recited in one of claims 10 and 11 wherein said step of executing said program instruction comprises determining if said system-level resources being accessed by said program instruction are protected system-level resources.

13. A method as recited in one of claims 10-12 further including the steps of:

establishing a data transfer communication link between said client computer and said server computer across said computer network; and
transmitting said at least one file from said server computer to said client computer across said computer network.

14. A method for processing a request from a client to access a system resource associated with a first server, the method comprising the steps of:

(a) calling a second server to initiate a download of files that are relevant to said request;

(b) loading said relevant files from said second server, said relevant files including an archive file, said archive file including at least one class file and a header, said header including an identifier arranged to indicate the origin of said archive file;

(c) validating said archive file;

(d) converting said class file into an applet; and

(e) executing said applet, said applet including at least one instruction, wherein executing said applet enables said client to access said system resource associated with said first server.

15. A method for processing a request as recited in claim 14 wherein said step of validating said archive file includes the sub-steps of:

(a) authenticating said header;

(b) determining whether said header is valid; and

(c) performing a class verification on said class when it is determined that said header is valid.

16. A method for processing a request as recited in one of claims 14 and 15 wherein said step of executing said applet includes the sub-steps of:

(a) determining whether said instruction is an instruction to execute a protected operation;

(b) executing said operation when it is determined that said instruction is not an instruction to execute a protected operation; and

(c) determining whether said operation is allowed when it is determined that said instruction is an instruction to execute a protected operation.

17. A computer system for controlling the degree of access to operating system resources comprising:

a first computer coupled with at least one memory device which holds therein at least one file including instructions for executing a software program, said software program running on said first computer, said first computer running said operating system, said first computer being configured to:

(a) define said degree of access to said

18. A computer system according to claim 17 wherein said first computer is arranged to determine if said system-level resources being accessed by said program instruction are protected system-level resources.

19. A computer-readable medium comprising computer-readable program code devices configured to cause a computer to perform the actions of:

(a) defining said degree of access to said operating system resources for said software program;

(b) examining at least one file associated with said software program to determine the degree of system-level access available to said software program when said software program is being executed by said computer;

(c) executing said software program on said computer;

(d) intercepting a program instruction associated with said software program when said software program is being executed on said computer;

(e) determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program; and

(f) executing said program instruction when it is determined that said software program has permission to access system-level resources associated with said computer that are within the degree of system-level access available to said software program.